Removing the Vundo virus - two and a half days in computer hell

My wife complained that her computer was slow and that all sorts of advertisements popped up during surfing. Though the computer had just been given a clean reinstall of XP-SP3, I could only confirm her experiences. On top of that, the Windows Update site seemed to have become completely unreachable, claiming that it couldn't run because the Update Service on the local computer wasn't running. That was true (and it was not a result of my setup), and turning it back on had no effect; the problem remained. The Update site persisted in its complaint. When shutting down, the system complained that Rundll32.exe needed to be shut down by the user. Two and a half days in computer hell.

I had just switched to a new virus killer: 'Vipre' from SunbeltSoftware. Pros: it isn't such a memory hog as the McAfee I used before, and it hunts not only for viruses but also for other malware. So I could ditch 'McAfee', 'SpyNoMore', 'Spybot Search and Destroy' and 'Windows Defender' altogether. The price was very attractive too, and I indeed experienced a faster computer. Vipre was on the computer from the moment WXP ran, and I always start with a deep scan. That showed nothing, but the deep scan I ran a few days later revealed that I was infected with the Vundo virus. Apparently that virus had been able to bypass the active shield that Vipre uses to protect my computer. I do not understand how this is possible, but that is what happened.
Vipre offered to clean the virus, but failed in doing so (and didn't report that).
The Vundo virus is very hard to remove. It apparently changes all the time. I understood from what I found on the web that it does its work when logging in. After the first cleanup effort from Vipre I was left with a system that showed a short 'Loading' message at Windows startup (after login), and I learned that I had to remove from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run a key called 'Kawohepono' that instructed rundll32 to start a file called hizupoye.dll.
I deleted the key and also deleted the requested file from System32, and noticed there that there were several other files with similar, somewhat Japanese-sounding names - quite easy to recognize. I deleted them all and restarted, only to discover that 'Kawohepono' started to complain: where is hizupoye?
Surfing still produced advertisement popups (they're normally blocked), Windows Update was unreachable, and the registry showed the Kawohepono key as if it had never been removed.
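As an added example that is not part of the original post, this PowerShell script lists the Run/RunOnce autostart entries that launch rundll32 with a DLL, the persistence pattern of the 'Kawohepono' entry above, and reports whether the DLL exists and is signed. It assumes an elevated prompt on the affected machine; no names beyond those quoted in the post are used.

```powershell
# Added example, not code from the original post. Enumerates Run/RunOnce
# autostart entries and flags those that start rundll32 with a DLL, which is
# how the 'Kawohepono' -> hizupoye.dll entry described above was launched.
# Run from an elevated PowerShell prompt.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($entry in $entries.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($entry.Name -like 'PS*') { continue }
        $cmd = [string]$entry.Value
        if ($cmd -notmatch 'rundll32(\.exe)?\s') { continue }

        # First *.dll token on the command line; a bare file name resolves from System32
        # (paths containing spaces are cut at the space, so check the Command column too)
        $dll = [regex]::Match($cmd, '(?i)[^\s",]+\.dll').Value
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot ('System32\' + $dll)
        }
        $status = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status   # NotSigned is the red flag
        } else {
            'missing'   # orphaned entry, like the "where is hizupoye?" complaint in the post
        }
        [pscustomobject]@{
            Key       = $key
            Name      = $entry.Name
            Command   = $cmd
            Dll       = $dll
            Signature = $status
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it again after removing an entry and rebooting: if the same entry is listed once more, a still-running component is re-creating it, which is what the reappearing Kawohepono key indicated here.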
I alerted SunbeltSoftware and continued my internet search for a solution. Replacing Rundll32 with the original version from disk had no effect. I do not exactly recall everything I
Some victims of this virus - it has been around for several years already - seek help from the people behind HiJackThis. This is a program that analyses your system, and these - long - analyses are then analysed by very kind and knowledgeable people who tell you what to do. For free even. It should certainly not be taken as a form of criticism that I didn't use their services, I am convinced they do a very good job, but it all seems very time consuming: the sending of your log files and the waiting for the analyses and then trying out their advice and then running the analyses again and so on. I simply cannot wait that long, cannot do anything else while waiting, and my wife needs her computer. On top of this HiJackThis doesn't look all that easy, so I decided to search on my own - and I did find solution(s).
The first program I found was the free 'AutoRun' program. It identified the already known as well as other infected files - but it failed at removing them.
The second program was Vundofix. That one also identified the virus, but failed to remove it as well. I intended to report my experiences to the Vundofix maker, but he recommended doing some things before posting and offered the free programs for it as well. One of those was a malware removing program, 'Malwarebytes' (free again), that immediately identified 27 infections on my computer and REMOVED them!!!
I have been free of it since. That is: free of the virus, not free of problems, since the removal gave me back a different system.
After login I was taken to a desktop which showed the usual background picture of my choice, an open window of My Documents (not my way of working) and that was all: the desktop showed no icons, there was no taskbar, and the start menu (Alt-Esc) was gone completely. I could however work normally: programs would start when I opened the Desktop or Start menu or did it through 'New Task' in Task Manager. But the desktop was gone.
I decided to run SFC /scannow, which looks for missing/corrupted files and replaces them from disk. I did two two-hour runs, but they solved nothing. A repair install of Windows XP finally did.
The system is running fine now, after two and a half days of full-time work. Meanwhile I have received a mail from SunbeltSoftware support to try out a few things and to send them a HijackThis log. However reasonable that may seem, I wonder what it says that I have personally found a (free!) solution sooner than SunbeltSoftware support.
I understand that the Vundo virus also escapes other virus killers (McAfee, Norton), so apparently it happens. Should I stick with Vipre? I do not know yet. I regret it very much that it doesn't tolerate other virus killers in its environment. And my experience shows that it cannot do the job on its own.

Publication date: May 23, 2009
